
Introduction

This scenario has been designed to allow 16 student groups to work together configuring firewalls and using security-related tools and security-oriented Linux distributions such as Kali Linux and Metasploitable. It has been used successfully at DIT-UPM for years in graduate, master's and professional training courses.

The full scenario is divided into 8 basic scenarios (Fig. 1), each including the virtual machines used by two student groups. Each student pod is a simple corporate network: a DMZ network running a vulnerable server, an internal network with some hosts, and an attacker host on the Internet running Kali Linux. Additionally, a server on the Internet is included so that connectivity from inside the corporate network to the Internet can be tested.

Starting the scenario

The whole scenario is made of 8 basic scenarios (fw-A.xml, fw-B.xml ... fw-H.xml). Depending on the number of student pods required, start as many basic scenarios as you need. All the basic scenarios share the "Internet" subnet, so if you start several of them you get automatic connectivity among all systems (the routers run the quagga OSPF daemon to provide it).

There is also a scenario named "fw.xml", designed to be used individually, that includes only the first pod of the fw-A.xml scenario.

To start a basic scenario:

vnx -f fw-A.xml -v --create

Figure 2: fw-A scenario topology
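Since each basic scenario holds two pods and there are eight of them (fw-A.xml to fw-H.xml), the number of scenarios to start for a given number of pods is ceil(N/2), capped at 8. The helper below is an added example, not part of the VNX scenario files; it assumes the XML files are in the current directory and that vnx is on the PATH (override with the VNX variable).

```shell
#!/bin/sh
# Added example: start only as many basic scenarios as N student pods need.
# Each of the 8 basic scenarios (fw-A.xml .. fw-H.xml) contains two pods, so
# N pods need ceil(N/2) scenarios, never more than 8.
# Assumption: scenario files are in the current directory; VNX overrides "vnx".

VNX="${VNX:-vnx}"
LETTERS="A B C D E F G H"

# Print the scenario files needed for N pods, one per line.
scenarios_for_pods() {
    pods="$1"
    if ! [ "$pods" -ge 1 ] 2>/dev/null; then
        echo "usage: scenarios_for_pods N (N >= 1)" >&2
        return 1
    fi
    needed=$(( (pods + 1) / 2 ))      # two pods per basic scenario
    if [ "$needed" -gt 8 ]; then      # only 8 basic scenarios exist
        needed=8
    fi
    i=0
    for l in $LETTERS; do
        i=$((i + 1))
        if [ "$i" -gt "$needed" ]; then
            break
        fi
        echo "fw-$l.xml"
    done
}

# Start every scenario needed for N pods with the command documented above.
# They share the "Internet" subnet, so starting several gives full connectivity.
start_pods() {
    for f in $(scenarios_for_pods "$1"); do
        "$VNX" -f "$f" -v --create || return 1
    done
}
```

Run it as `start_pods 5`, which starts fw-A.xml, fw-B.xml and fw-C.xml.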

Accessing virtual machines

You have several possibilities to access the virtual machines in the scenario:

Using VM consoles

If you have access to the console of the system where the scenario has been started, you can access the VM consoles directly. All VMs offer a textual console; the attacker hosts running Linux also offer a graphical console.

Using ssh

All the scenarios are configured with VM management interfaces enabled, so you can access every VM over ssh from the system where the scenario was started. It is especially useful to connect with X forwarding enabled, so that graphical applications can be started remotely.

For example, to access a firewall and start fwbuilder application:

slogin fw -X
fwbuilder

Connecting from external machines

Especially useful is the possibility of integrating external equipment into the scenario, mainly the laboratory PCs, for example to let students work from a lab PC that is directly connected to the internal network of their scenario.

To do that, you can use the configuration we use in our DIT-UPM laboratories (Fig. 3):

A VLAN based switch (VLABswitch) to support the external connections.

Laboratory PCs with two Ethernet interfaces, one connected to the production network and another used to connect to VLABswitch.